Whaddya mean there’s no such thing as an unhackable device? John McAfee sputtered last week. I got a $100K bounty for anybody who can hack my spiffy, new, unbreakable breakthrough, the wowee-wow world’s first and only completely unhackable, most advanced digital thingie ever, cryptocurrency wallet!

For all you naysayers who claim that “nothing is unhackable” & who don’t believe that my Bitfi wallet is truly the… twitter.com/i/web/status/1…

The press are indeed claiming that the Bitfi wallet has been hacked. It was released the week prior to the hack/not-a-hack with great fanfare, and was greeted with great guffaws as well as by people who decided to have a go at breaking it.

As CNet reported on Friday, a “self-described IT geek in the Netherlands” who goes by the Twitter handle @OverSoftNL tweeted on Wednesday that they’d gained root access to the crypto-wallet. @OverSoftNL went on to say they had help from @cybergibbons, also known as Andrew Tierney, a security consultant at Pen Test Partners, and from Graham Sutherland (@gsuberland)… all three of whom got royally peeved at what Sutherland called a “clueless and misleading attitude to security.”

The wallet comes from antivirus software pioneer, former Belize man-about-town/government spy/fugitive, current US fugitive McAfee, together with hardware crypto-wallet maker Bitfi. McAfee (the man, not the brand owned by Intel Security) and Bitfi had claimed that the thing had “absolute” security.

For one thing, the “most sophisticated instrument in the world” turns out to be nothing more than a cheap touchscreen Android phone that’s been gutted – particularly, stripped of its cellular connectivity innards. What it has in their place is a touchscreen that uses a protocol that’s easily intercepted. As Pen Test Partners wrote in Part 1 of its Hacking the Bitfi series:

All you need is a logic analyser to capture the finger movements on the screen and therefore the wallet passphrase as it is entered on to the screen.

A lack of anti-tamper measures means that the back of the Bitfi can be popped off, the hardware reprogrammed or bugged, the case closed up again, and the handheld handed to a victim. Whatever passphrase they then type in can be captured and sent to an attacker via whatever backdoor they’ve built into it.

Bitfi’s bounty program, however, defines a legitimate hack as one in which the hacker receives a Bitfi phone preloaded with $50 in crypto-coins, secured by an unknown passphrase, and gets the coins off the device.

The terms highlight what critics say is the device’s one genuine security feature: it doesn’t store the key needed to access the crypto-currency on the device itself.

But as Tierney put it, that means the challenge covers only one specific method of theft: getting at the coins on a stolen device. That’s pretty narrow for something to be called “unhackable.”

In fact, Tierney says, the bounty is a sham:

The bounty deliberately includes only one attack: key recovery from a genuine, unaltered device. And the device doesn’t store the key.

The only way to win the bounty is to recover a key from a device which doesn’t store a key.

The most obvious way to hack the device, he said:

Modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty. Why is this? Because the bounty is a sham.

But there are “many, many more attacks such a device is vulnerable to,” Tierney said.

On Friday, OverSoftNL echoed Tierney, dismissing the bounty as a “sham” and adding that the ability to gain root access does in fact mean that the wallet isn’t secure. Bitfi doesn’t “even have $250k free on hand at this moment,” they claimed.

Bitfi, which hadn’t responded to CNet’s request for comment as of Friday, also offered a second, $10,000 bounty with a plea for help. The tweet from CEO Daniel Khesin:

Dear friends, we’re announcing second bounty to help us assist potential security weaknesses of the Bitfi device. We would greatly appreciate assistance from the infosec community, we need help.

OverSoftNL called it chump change. Get real, they said, instead of trying to weasel out of paying for a real penetration test:

Them now offering a 2nd bounty which is MUCH lower is just laughable. They're basically trying to pay pennies on th… twitter.com/i/web/status/1…

John McAfee has since appeared in a promoted video (an advertisement) on Twitter explaining that his role is to drum up publicity for the Bitfi device and that there is no easier way to do that than with the instant controversy calling something “unhackable” creates.

So, is he right, and will you be rushing out to buy a Bitfi device to store your cryptocoins?

About the author

Lisa has been writing about technology, careers, science and health since 1995. She rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash and joined the freelancer economy. Alongside Naked Security, Lisa has written for CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output.

“there is no easier way to do that than with the instant controversy calling something “unhackable” creates”

This is a very sad attempt at covering up a very big mistake. Would have been better if he just admitted he made a mistake, and moved on.

The logic he is using is no publicity is bad publicity, and if history proves anything, it is that this notion cannot be used in the world of IT security. What is this guy doing in the position he is in?

What position? He resigned from McAfee (the company) in 1994, and has since been doing ever more crazy publicity stunts. He’s not a security professional, he’s just a name that the public associate with computer security.